Synology Advises Users of SynoLocker Ransomware

Storage server manufacturer Synology sends word this afternoon that it is informing its customers of a currently ongoing and dangerous ransomware attack that is targeting Synology devices.

Dubbed SynoLocker, the ransomware targets Internet-exposed Synology servers and uses a previously unknown exploit to break into those systems. From there SynoLocker engages in a Cryptolocker-like ransom scheme, encrypting files stored on the server and then holding the key for ransom. The attackers are currently ransoming the key for 0.6 Bitcoins (roughly $350 USD), a hefty price to pay to get your files back.

At this time only a portion of Synology servers are affected. Synology has confirmed that, along with being Internet-exposed, the servers SynoLocker attacks are running out-of-date versions of DSM 4.3 (Synology’s operating system). Meanwhile the company is still researching whether the newer DSM 5.0 is affected as well.

With Synology still isolating the vulnerability and the affected software versions, the company is asking users to take precautions to secure their servers against SynoLocker. Along with removing external Internet access to the server, Synology is also suggesting that all users upgrade their DSM to the latest version and back up all of their data, so that if a server has been or does get infected, a backup copy is safe from SynoLocker.

Lovely. My @Synology NAS has been hacked by ransomware calling itself Synolocker. Not what I wanted to do today. pic.twitter.com/YJ1VLeKqfY

— Mike Evangelist (@MikeEvangelist) August 3, 2014

Meanwhile, for those users whose servers have been infected, Synology is advising them to immediately shut down their servers to prevent any further files from being encrypted and to contact Synology support about the issue. Synology is also suggesting that affected users be on the lookout for fake Synology emails, out of a concern that the ransomware authors may follow up by hitting the infected users with spear phishing attacks.

It goes without saying that while Cryptolocker and its ransomware ilk are already dangerous pieces of malware, SynoLocker is especially dangerous due to the larger quantity of data stored on a dedicated storage server compared to an average client machine or workstation, along with the potential value of the information stored on such a server. Furthermore whereas Cryptolocker is principally a “pull” attack delivered via Trojans (drive-bys, phishing, and otherwise), SynoLocker is a “push” attack that is capable of reaching out and directly infecting vulnerable servers without any human intervention.

Finally, Synology tells us that they are hoping to finish identifying which versions of DSM are affected this evening. They are also hoping to have a resolution, though admittedly if SynoLocker is as effectively implemented as Cryptolocker, then there is a distinct possibility that there may be no way to recover the ransomed data other than paying.

We will update this article once we hear more from Synology.

Update (08/05/2014):

Synology has finished analyzing the exploit and confirmed which versions of DSM are vulnerable. The vulnerability in question was patched out of DSM in December of 2013, so only servers running significantly out of date versions of DSM appear to be affected.

In summary, DSM 5.0 is not vulnerable. Meanwhile DSM 4.x versions that predate the vulnerability fix – anything prior to 4.3-3827, 4.2-3243, or 4.0-2259 – are vulnerable to SynoLocker. For those systems that are running out-of-date DSM versions and have not been infected, updating to the latest DSM version should close the hole.
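As an added worked check, not part of the article or of any Synology tool, the following Python classifies DSM version strings against the fixed builds named above. It assumes the "major.minor-build" format the article uses, treats DSM 4.x branches the article does not name (for example 4.1) as unknown rather than safe, and ranks a constructed inventory so that Internet-exposed, vulnerable units come first:

```python
import re

# Minimum fixed build per DSM 4.x branch, as stated in Synology's update.
# Builds below these still carry the hole SynoLocker exploits.
FIXED_BUILDS = {
    (4, 3): 3827,
    (4, 2): 3243,
    (4, 0): 2259,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)$")


def parse_dsm_version(version):
    """Parse a DSM version string such as '4.3-3810' into (major, minor, build)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised DSM version string: %r" % version)
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def synolocker_status(version):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for a DSM version.

    'unknown' covers branches the article does not name; treat those as
    needing an update rather than assuming they are safe.
    """
    major, minor, build = parse_dsm_version(version)
    if major >= 5:
        return "not_vulnerable"      # DSM 5.0 confirmed not vulnerable
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "vulnerable" if build < fixed else "not_vulnerable"


def triage(inventory):
    """Return units needing action, most urgent first.

    Each entry is a dict with 'host', 'dsm' and 'internet_exposed' keys
    (a constructed inventory format, not anything DSM exports). Exposure
    alone still scores, since Synology advised removing Internet access.
    """
    urgency = {"vulnerable": 2, "unknown": 1, "not_vulnerable": 0}
    rows = []
    for item in inventory:
        status = synolocker_status(item["dsm"])
        score = urgency[status] * 2 + (1 if item["internet_exposed"] else 0)
        rows.append(dict(item, status=status, score=score))
    return sorted((r for r in rows if r["score"] > 0), key=lambda r: -r["score"])


SAMPLE_INVENTORY = [  # constructed sample data for the example
    {"host": "nas-office", "dsm": "4.3-3810", "internet_exposed": True},
    {"host": "nas-lab", "dsm": "4.2-3243", "internet_exposed": True},
    {"host": "nas-home", "dsm": "5.0-4493", "internet_exposed": False},
    {"host": "nas-old", "dsm": "4.1-2668", "internet_exposed": False},
]
```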

As for systems that have been infected, Synology is still suggesting that owners shut down the device and contact the company for direct support.

All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files available here.

Follow these simple steps if file recovery is needed:

Download and install Tor Browser.
Open Tor Browser and visit http://cypherxffttr7hho.onion. This link works only with the Tor Browser.
Login with your identification code to get further instructions on how to get a decryption key.
Your identification code is – (also visible here).
Follow the instructions on the decryption page once a valid decryption key has been acquired.
Technical details about the encryption process: